| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/base/x509_certificate_nss_util.h" |
| 6 |
| 7 #include <nss.h> |
| 8 #include <secder.h> |
| 9 |
| 10 #include "base/logging.h" |
| 11 #include "base/pickle.h" |
| 12 #include "base/time.h" |
| 13 #include "crypto/nss_util.h" |
| 14 #include "crypto/scoped_nss_types.h" |
| 15 #include "net/base/x509_certificate.h" |
| 16 |
| 17 namespace net { |
| 18 |
| 19 namespace { |
| 20 // Callback for CERT_DecodeCertPackage(), used in |
| 21 // CreateOSCertHandlesFromBytes(). |
| 22 SECStatus PR_CALLBACK CollectCertsCallback(void* arg, |
| 23 SECItem** certs, |
| 24 int num_certs) { |
| 25 X509Certificate::OSCertHandles* results = |
| 26 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); |
| 27 |
| 28 for (int i = 0; i < num_certs; ++i) { |
| 29 X509Certificate::OSCertHandle handle = |
| 30 X509Certificate::CreateOSCertHandleFromBytes( |
| 31 reinterpret_cast<char*>(certs[i]->data), certs[i]->len); |
| 32 if (handle) |
| 33 results->push_back(handle); |
| 34 } |
| 35 |
| 36 return SECSuccess; |
| 37 } |
| 38 } // namespace |
| 39 |
| 40 namespace x509_certificate_nss_util { |
| 41 |
| 42 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
| 43 typedef char* (*CERTGetNameFunc)(CERTName* name); |
| 44 |
| 45 // TODO(jcampan): add business_category and serial_number. |
| 46 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
| 47 // CERT_GetDomainComponentName functions, but they return only the most |
| 48 // general (the first) RDN. NSS doesn't have a function for the street |
| 49 // address. |
| 50 static const SECOidTag kOIDs[] = { |
| 51 SEC_OID_AVA_STREET_ADDRESS, |
| 52 SEC_OID_AVA_ORGANIZATION_NAME, |
| 53 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, |
| 54 SEC_OID_AVA_DC }; |
| 55 |
| 56 std::vector<std::string>* values[] = { |
| 57 &principal->street_addresses, |
| 58 &principal->organization_names, |
| 59 &principal->organization_unit_names, |
| 60 &principal->domain_components }; |
| 61 DCHECK(arraysize(kOIDs) == arraysize(values)); |
| 62 |
| 63 CERTRDN** rdns = name->rdns; |
| 64 for (size_t rdn = 0; rdns[rdn]; ++rdn) { |
| 65 CERTAVA** avas = rdns[rdn]->avas; |
| 66 for (size_t pair = 0; avas[pair] != 0; ++pair) { |
| 67 SECOidTag tag = CERT_GetAVATag(avas[pair]); |
| 68 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { |
| 69 if (kOIDs[oid] == tag) { |
| 70 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); |
| 71 if (!decode_item) |
| 72 break; |
| 73 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. |
| 74 std::string value(reinterpret_cast<char*>(decode_item->data), |
| 75 decode_item->len); |
| 76 values[oid]->push_back(value); |
| 77 SECITEM_FreeItem(decode_item, PR_TRUE); |
| 78 break; |
| 79 } |
| 80 } |
| 81 } |
| 82 } |
| 83 |
| 84 // Get CN, L, S, and C. |
| 85 CERTGetNameFunc get_name_funcs[4] = { |
| 86 CERT_GetCommonName, CERT_GetLocalityName, |
| 87 CERT_GetStateName, CERT_GetCountryName }; |
| 88 std::string* single_values[4] = { |
| 89 &principal->common_name, &principal->locality_name, |
| 90 &principal->state_or_province_name, &principal->country_name }; |
| 91 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { |
| 92 char* value = get_name_funcs[i](name); |
| 93 if (value) { |
| 94 single_values[i]->assign(value); |
| 95 PORT_Free(value); |
| 96 } |
| 97 } |
| 98 } |
| 99 |
| 100 void ParseDate(const SECItem* der_date, base::Time* result) { |
| 101 PRTime prtime; |
| 102 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); |
| 103 DCHECK_EQ(SECSuccess, rv); |
| 104 *result = crypto::PRTimeToBaseTime(prtime); |
| 105 } |
| 106 |
| 107 std::string ParseSerialNumber(const CERTCertificate* certificate) { |
| 108 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), |
| 109 certificate->serialNumber.len); |
| 110 } |
| 111 |
| 112 void GetSubjectAltName(CERTCertificate* cert_handle, |
| 113 std::vector<std::string>* dns_names, |
| 114 std::vector<std::string>* ip_addrs) { |
| 115 if (dns_names) |
| 116 dns_names->clear(); |
| 117 if (ip_addrs) |
| 118 ip_addrs->clear(); |
| 119 |
| 120 SECItem alt_name; |
| 121 SECStatus rv = CERT_FindCertExtension(cert_handle, |
| 122 SEC_OID_X509_SUBJECT_ALT_NAME, |
| 123 &alt_name); |
| 124 if (rv != SECSuccess) |
| 125 return; |
| 126 |
| 127 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 128 DCHECK(arena != NULL); |
| 129 |
| 130 CERTGeneralName* alt_name_list; |
| 131 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); |
| 132 SECITEM_FreeItem(&alt_name, PR_FALSE); |
| 133 |
| 134 CERTGeneralName* name = alt_name_list; |
| 135 while (name) { |
| 136 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs |
| 137 // respectively, both of which can be byte copied from |
| 138 // SECItemType::data into the appropriate output vector. |
| 139 if (dns_names && name->type == certDNSName) { |
| 140 dns_names->push_back(std::string( |
| 141 reinterpret_cast<char*>(name->name.other.data), |
| 142 name->name.other.len)); |
| 143 } else if (ip_addrs && name->type == certIPAddress) { |
| 144 ip_addrs->push_back(std::string( |
| 145 reinterpret_cast<char*>(name->name.other.data), |
| 146 name->name.other.len)); |
| 147 } |
| 148 name = CERT_GetNextGeneralName(name); |
| 149 if (name == alt_name_list) |
| 150 break; |
| 151 } |
| 152 PORT_FreeArena(arena, PR_FALSE); |
| 153 } |
| 154 |
| 155 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( |
| 156 const char* data, |
| 157 int length, |
| 158 X509Certificate::Format format) { |
| 159 X509Certificate::OSCertHandles results; |
| 160 if (length < 0) |
| 161 return results; |
| 162 |
| 163 crypto::EnsureNSSInit(); |
| 164 |
| 165 if (!NSS_IsInitialized()) |
| 166 return results; |
| 167 |
| 168 switch (format) { |
| 169 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { |
| 170 X509Certificate::OSCertHandle handle = |
| 171 X509Certificate::CreateOSCertHandleFromBytes(data, length); |
| 172 if (handle) |
| 173 results.push_back(handle); |
| 174 break; |
| 175 } |
| 176 case X509Certificate::FORMAT_PKCS7: { |
| 177 // Make a copy since CERT_DecodeCertPackage may modify it |
| 178 std::vector<char> data_copy(data, data + length); |
| 179 |
| 180 SECStatus result = CERT_DecodeCertPackage(&data_copy[0], |
| 181 length, CollectCertsCallback, &results); |
| 182 if (result != SECSuccess) |
| 183 results.clear(); |
| 184 break; |
| 185 } |
| 186 default: |
| 187 NOTREACHED() << "Certificate format " << format << " unimplemented"; |
| 188 break; |
| 189 } |
| 190 |
| 191 return results; |
| 192 } |
| 193 |
| 194 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( |
| 195 PickleIterator* pickle_iter) { |
| 196 const char* data; |
| 197 int length; |
| 198 if (!pickle_iter->ReadData(&data, &length)) |
| 199 return NULL; |
| 200 |
| 201 return X509Certificate::CreateOSCertHandleFromBytes(data, length); |
| 202 } |
| 203 |
| 204 void GetPublicKeyInfo(CERTCertificate* handle, |
| 205 size_t* size_bits, |
| 206 X509Certificate::PublicKeyType* type) { |
| 207 // Since we might fail, set the output parameters to default values first. |
| 208 *type = X509Certificate::kPublicKeyTypeUnknown; |
| 209 *size_bits = 0; |
| 210 |
| 211 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); |
| 212 if (!key.get()) |
| 213 return; |
| 214 |
| 215 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); |
| 216 |
| 217 switch (key->keyType) { |
| 218 case rsaKey: |
| 219 *type = X509Certificate::kPublicKeyTypeRSA; |
| 220 break; |
| 221 case dsaKey: |
| 222 *type = X509Certificate::kPublicKeyTypeDSA; |
| 223 break; |
| 224 case dhKey: |
| 225 *type = X509Certificate::kPublicKeyTypeDH; |
| 226 break; |
| 227 case ecKey: |
| 228 *type = X509Certificate::kPublicKeyTypeECDSA; |
| 229 break; |
| 230 default: |
| 231 *type = X509Certificate::kPublicKeyTypeUnknown; |
| 232 *size_bits = 0; |
| 233 break; |
| 234 } |
| 235 } |
| 236 |
| 237 } // namespace x509_certificate_nss_util |
| 238 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10928107:
Support x509 certificate on iOS. (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master